Implementing the CVE Manual Mitigation

This mitigation is for specific versions of TOS Classic only. Review the Summary table here to determine its applicability to the specific version of TOS Classic that you are running.

We recommend upgrading TOS Classic to a version that has resolved critical Log4j vulnerabilities as listed here. If you are unable to upgrade TOS Classic, the manual mitigation process below resolves issues related to CVE-2021-44228 and CVE-2021-45046 only, for the following releases:

  • TOS Classic R21-3 RC1

  • TOS Classic R21-2 HF2 and earlier versions of this release

  • TOS Classic R21-1 HF 4 and earlier versions of this release

Do not run this mitigation on any other releases of TOS Classic or TOS Aurora.

Prerequisites

Download the archive with the updated script from the Tufin Download Center.

The manual mitigation below updates Log4j to version 2.16.0. It is also relevant for users who have already applied the mitigation using the instructions that were sent on December 14, 2021.

If you are running SecureTrack and SecureChange on separate servers, you must update both. If you are running a High Availability (HA) environment, you must update both the primary and secondary servers. If you are running a Distributed Architecture (DA) environment, you must update the Central Servers (including all servers if your Central Server is configured for HA), all Remote Collectors (RC) and all Distribution Servers (DS).

Run the following steps on each TOS server in your environment, including:

  • SecureTrack Server and SecureChange server

  • HA environment: Primary server and Secondary server

  • DA environment: All Central servers, all Remote Collectors (RC) servers, and all Distribution Servers (DS)

You can run this update on all your servers simultaneously.

Step 1: Run the Upgrade Script

The script upgrades Apache Log4j on the server to version 2.16.0.

  1. Copy the TGZ archive (available from the Tufin Download Center) to an empty folder on the TOS server.

  2. From the folder containing the archive, run the following commands:

    screen -S lg4jfix
    tar xvzf security_fix_log4j_v1.0.run.tgz
    ./security_fix_log4j_v1.0.run

    The process may take 30 minutes or more. During this time the server will be down. If the process runs with no errors, a confirmation message is displayed.

    Completed

  3. If you receive the following error, you can safely ignore it.

    ./replace_log4j.sh line 164: <PID> killed
    Error: Could not restart tufin-jobs service

    If you received the error above, wait ten minutes and confirm that tufin-jobs is running:

    service tufin-jobs status
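
The following is an added example, not part of Tufin's script or instructions: one way to confirm, after the script completes, that no Apache Log4j core library older than 2.16.0 remains on the server, including copies bundled one level deep inside JAR, WAR or EAR archives. It assumes the libraries keep the standard log4j-core-<version>.jar file name; the function names, the output format and the directory you scan are illustrative.

```shell
#!/bin/sh
# Added example, not Tufin code: report log4j-core JARs below the version
# this mitigation installs. Scan root and output format are assumptions.
FIXED_VERSION=2.16.0

# Succeed when dotted version $1 is numerically lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' </dev/null
}

# List every archive under $1, plus "archive!/entry" for each file bundled
# inside it (one level deep; needs unzip, skipped when unavailable).
candidates() {
    find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) |
    while IFS= read -r f; do
        printf '%s\n' "$f"
        if names=$(unzip -Z1 "$f" 2>/dev/null </dev/null); then
            printf '%s\n' "$names" | awk -v p="$f" '{ print p "!/" $0 }'
        fi
    done
}

# Print "OUTDATED|OK <version> <location>" for each log4j-core JAR found.
scan_log4j() {
    candidates "$1" | while IFS= read -r c; do
        name=${c##*/}
        case $name in log4j-core-[0-9]*.jar) ;; *) continue ;; esac
        v=${name#log4j-core-}; v=${v%.jar}
        if version_lt "$v" "$FIXED_VERSION"; then
            printf 'OUTDATED %s %s\n' "$v" "$c"
        else
            printf 'OK %s %s\n' "$v" "$c"
        fi
    done
}

# Return non-zero when any outdated copy remains under $1.
check_log4j() {
    ! scan_log4j "$1" | grep -q '^OUTDATED '
}

if [ $# -gt 0 ]; then scan_log4j "$1"; fi
```

Run it with the directory to scan as its only argument on each server you updated. Any OUTDATED line means a library older than 2.16.0 is still on disk at that location.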

Step 2: Log this Change

This step logs the manual change to the server. All information entered (including your name and email address) is stored locally on this server for audit purposes only, and is not sent to Tufin.

  1. Run the following command:

    /opt/tufin/securitysuite/scripts/local_change.sh add

  2. The system prompts you for a Title. Enter CVE-2021-44228 CVE-2021-45046 V1

    CVE-2021-44228 CVE-2021-45046 V1

  3. The system prompts you for a Description. Enter the following:

    local jar updated - check with Tufin support for upgrade path
    END

  4. The system prompts you for a Changer Name. Enter your first name and surname.

    FirstName Surname

  5. The system prompts you for an Email Address. Enter your email address.

    tos-admin@example.com

  6. The system prompts you for an SR Number. Enter 0

    0

  7. The system automatically adds a time stamp:

    Change added, timestamp: 2021-12-17_09-10-56

---

This is Version 1 of this topic, last updated Thursday, September 29, 2022 at 10:25 AM.